PCI 3.0, Part 1: Breathe, Relax, Get Compliant

As many in the e-commerce space know, the PCI DSS 3.0 standard took effect on Jan. 1; organizations have until the end of the year to transition their compliance programs. It's important to understand these changes weren't created just to deliver some arbitrary vision of compliance. They reflect a payment IT landscape that grows riskier and more complex every day.

By Kurt Hagerman
02/18/14 5:00 AM PT

Aimed at improving the security of payment card data and reducing fraud, the PCI DSS 3.0 standard, which took effect on Jan. 1, introduces changes that extend across all 12 requirements. It no doubt will mean some shakeups for many organizations when it comes to their day-to-day culture and operations. That's not a bad thing, because transitioning to meet the new requirements will help e-businesses build a stronger, safer, lower-risk environment for their customers.

This winter alone has been dominated by stories of breaches impacting Target, Neiman Marcus, and the Marriott, Sheraton and Hilton hotels -- just to name a few. While the growing number of digital payment avenues offers convenience to customers, it also offers a larger attack surface for criminals.

As cloud technologies and e-commerce environments continue to grow, creating multiple points of access to cardholder data, online retailers will only become more appealing targets for hackers. Cybercriminals are cunning and determined, and they understand payment card infrastructures as well as the engineers who design them.

That's a scary proposition -- and it's exactly why the payment card industry is so determined to help keep e-commerce organizations protected. By meeting the new standard, businesses will be better armed to fight evolving threats. The changes also will drive more consistency among assessors, help businesses reduce risk of compromise, and create more transparent provider-customer relationships.

If you're thinking that transitioning to 3.0 will involve some work, you're right -- but doing that work on the front end is going to save you much more work down the line. Adopting the new standard ultimately will drive your e-commerce business into a more secure and efficient era.

Changes Overview

So what exactly do the 3.0 changes mean for your e-commerce organization? How much work lands on your plate will depend on your current security program -- but examining your current security strategies and programs is never a bad idea. Take a look below at the areas requiring your attention, which this series will explore in more detail in future installments.

Operational Changes: The 3.0 standard addresses common vulnerabilities that probably will ring a bell with many of you. These include weak passwords and authentication procedures, as well as insufficient malware detection systems and vulnerability assessments, just to name a few. Depending on your current security controls program, this could mean you'll need to step up in these areas by strengthening credential requirements, resolving self-detection challenges, testing and documenting your cardholder data environment, and making other corrections.

Cultural Changes: One of the main themes of 3.0 is shifting from an annual compliance approach to embedding security in your daily processes. Threats don't change just once a year; they are constantly evolving, and that means e-commerce organizations must adopt a culture of vigilance. Only through a proactive business-as-usual approach to security can you achieve true DSS compliance. Realistically, this could mean the need to provide more education and build awareness with your staff, partners and providers, so that everyone understands why and how your new processes are in place.

Service Provider Changes: When it comes to third-party providers, some organizations have made unsafe assumptions in the past -- and some have paid the price, from failed audits to breaches. This is one reason the new standard is designed to eliminate any confusion over compliance responsibilities. Specifically, responsibilities for security, operations, management and reporting all will need to be spelled out in detailed contracts. In addition to improved communication, an intensified focus on transparency means that you should have a clear view of your provider's infrastructure, data storage and security controls, along with subcontractors that can impact your environment. So if your organization isn't exactly clear on which PCI DSS requirements you manage and which ones your providers handle, prepare to get all of that hammered out.

The Rewards of Compliance

If all of this sounds like a lot of work, don't worry. The rest of our series will guide you down the path to preparing for the 3.0 deadline in January 2015. To get started right now, request your QSA's opinion on how the changes will impact your organization. By doing a gap assessment now, you'll be able to address any shortcomings before crunch time.

Remember that meeting the new 3.0 requirements isn't just about passing audits. In our fast-paced payment IT landscape, staying smart and protected is part of our commitment to our customers. Beef up your security game, and you'll not only reduce audit headaches, but also enjoy a stronger brand reputation as a safe and reliable e-commerce business.

As chief information security officer for FireHost, Kurt Hagerman is responsible for all aspects of security and compliance for both corporate- and customer-facing products. He is responsible for leading FireHost in attaining ISO, PCI, HIPAA and other certifications.